Root password and the Sudoers File

busonerd

Registered
the file /private/etc/sudoers is a file Not to touch for unix newbies!

(Like I was)

This file is accesible by default only to the root user.
But, as we all know, Apple has CONVINIENTLY locked the root users password!

So I figured, hmm- sudo, sudoers?
And I tried

sudo chmod 777 sudoers

(because the file was locked by apple and I needed to sudo in)

Hmm. A while later I decided to sudo/chmod another file.

And I got this delightful error message on my screen

/etc/sudoers is 777. must be 0440

But now we have the catch!

I cant use SUDO anymore to CHANGE BACK THE SUDOERS FILE

So. I had just learned how to lock myself out of sudo. Permanently.

So. The only solutions (that I thought of) were

1: Reinstall osx. (not plesant)
2: 'Modify' the root user password

Now on to the root user password.

For this you will need:
1 admin account

(as in users control panel..... [not a REAL admin acct.])

Open Applications-->Utilities-->NetInfo Manager

Click the little Lock-Thingy in the bottom left corner and unlock it.

Use the netinfo directory browser to browse to the 'users' directory and choose your user (or any user to which you know the password)

select the text to the right of the 'passwd'

copy this into the same field as the root user.

Logout as in standard in OSX
and login as
login: Root
password: YourNewPassword (not the garbled stuff, the actual password)

If you have any questions, just respond And I will help you!



 
Good technique for getting into root.

I wonder if you just delete root's password if you could login as root without a password and <em>then</em> reset it.

-Rob
 
I am really a unix newbie with scattered experience in various areas. Probably that will work!
(though because unix uses the CRYPT command to generate a passwd, and crypting nothing still gives a big string.. I dunno now)

(I just knew I could copy it so I used that)

Thanks Rob
 
You can just go into NetInfo Manager's Domain menu , go into Security, and select Enable Root User.
ACohn2
 
The method describe for "setting" the root password via the NetInfo db is pretty cool :)

However, I would recommend AGAINST logging in to OSX as the user "root"

the user "root" is the real root (top level/highest privs ) user under OSX, the "Administrator" password used in the GUI tools is a special entry adn not the same thing.

If you login as 'root', it will create a set of files and directory structure under 'root's home directory and this could very well be messy.

Easier to use the right tool for the job :)

Under a normal user login, bring up a terminal window, and type su - this will ask for the 'root' password.
and will give you a shell in a terminal running as root. (to test type whoami ).

once you're done, just exit out of the root shell.

Also, I haven't checked if it's there, but to edit sudoers file, you should use the visudo command, it has a pre-parser to check the file for possible misconfigurations before it saves the file.

Cheers, Andrew
 
Andrew and acohn2,

(1) Acohn2: Thanks for the tip about enabling the Super User password in the Netinfo window. That was a piece of the puzzle.

(2) Andrew: Thanks for the tip on how to gain root-level access in Terminal with 'su' (the password being set in Netinfo).

I don't know HOW I ever would've deduced that I needed to do those two things without your posts. Thanks!



 
Probably your ideas would have been much simpler to do, but at that time, that was the only solution I could improvise. Thanks for your help!


--David
 
an even easier way was suggested to me and it works! just boot from the OSX CD and when you get to the intall screen, go up under the menubar and you'll see a "reset password" or similar choice. (I'm at work not on OSX so dont recall verbatim) check this and it will allow you to reset the root password.
 
my 5 cents;
seems to me that if you've the knowhow and GUTS to log in as root to change some stuff you should do it the "correct" way, which it seems would be the method shown by acohn2. now you have a true root account and you do get an encrypted password for root out of the deal which, also seems to be the way to go. me, way new to unix but chewing and chewing
-sg
 
an even easier way was suggested to me and it works! just boot from the OSX CD and when you get to the intall screen, go up under the menubar and you'll see a "reset password" or similar choice. (I'm at work not on OSX so dont recall verbatim) check this and it will allow you to reset the root password.

Whoa!

That sounds like a major security issue to me... unless you have to put in the old password. Anyone know about this?
 
Originally posted by knighthawk


Whoa!

That sounds like a major security issue to me... unless you have to put in the old password. Anyone know about this?

It's very similar to the "bug" with Mac OS 9's Multiple Users. If you boot from an OS 9 system CD on a computer that uses Multiple Users, the system will load the exrtensions set from the CD, not the hard drive, which then des not load Multiple Users. You can then use the MacOS Set Up assistant to reset the admin password to whatever you want.
 
This is not really a security hole at all. It has always been well known in the unix/linux industry that anyone with access to your machine can take over the machine. These OS's are designed with network security in mind, if you need a machine that no one can break into, you'll be hard pressed to find one. Every flavor of linux that I have ever seen has similar vulnerabilities, shadow password files made it hard to find a user's password, but it is still very easy to (re)create one. Any machine with mission-critical or sensative data should not be located in an area where people have access to it, no matter what OS you're running. Just thought I'd add my .02
 
Back
Top